Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.
1. A communication device configured to selectively encrypt a data flow in a software defined network (SDN), the communication device comprising: a data bus; a communication interface in communication with the data bus, the communication interface to receive a plurality of unencrypted data packets originating from a data producing device in an electric power system; an SDN controller communication subsystem in communication with the data bus and to receive from an SDN controller a first criterion used to identify a subset of the plurality of unencrypted data packets in the data flow to be encrypted; an encryption subsystem to generate an encrypted data payload from an unencrypted data payload based on an encryption key, and configured to: identify unencrypted data packets to be encrypted based on the first criterion and comprising unencrypted routing information and an unencrypted payload; selectively parse each identified data packet to extract the unencrypted routing information and the unencrypted data payload; generate a hash message authentication code (HMAC); assemble a substitute packet comprising the unencrypted routing information and the encrypted data payload; and append the substitute packet with the HMAC; and, the communication interface configured to insert the substitute packet into the data flow directed to a data consuming device in the electric power system using the unencrypted routing information via the communication interface; wherein the HMAC is at least partially determined based on an identifier of a source of at least one of the plurality of unencrypted data packets, enabling a receiving device to identify the source based at least in part on the HMAC; wherein the first criterion comprises a determination that a first physical location at which the data consuming device identified by the routing information is separated from a second physical location at which the communication device is located.
A communication device selectively encrypts data flows in a Software Defined Network (SDN). It receives unencrypted data packets from a data producing device in an electric power system. An SDN controller provides a criterion specifying which packets to encrypt, based on the data consumer's physical location being separate from the device's own location. The device identifies these packets, parsing them to separate unencrypted routing information from the unencrypted data payload. It then encrypts only the data payload. A Hash Message Authentication Code (HMAC) is generated, partly using the packet's source identifier, allowing the recipient to verify the source. A new packet is assembled, containing the original unencrypted routing information, the newly encrypted data payload, and the appended HMAC. This substitute packet is then transmitted to the data consuming device using the unencrypted routing information.
2. The communication device of claim 1, wherein the communication device is configured for use in a network that provides end-to-end encryption between the data producing device and a data consuming device that lacks encryption capabilities.
This communication device, as described in Claim 1, selectively encrypts data flows in a Software Defined Network (SDN). It receives unencrypted data packets from a data producing device in an electric power system. An SDN controller provides a criterion specifying which packets to encrypt, based on the data consumer's physical location being separate from the device's own location. The device identifies these packets, parses them to separate unencrypted routing information from the unencrypted data payload, and encrypts only the data payload. An HMAC is generated, partly using the packet's source identifier, allowing the recipient to verify the source. A new packet is assembled, containing the original unencrypted routing information, the encrypted data payload, and the appended HMAC. This substitute packet is then transmitted. This functionality specifically enables end-to-end encryption for networks where the data consuming device lacks its own encryption capabilities.
3. The communication device of claim 1, further comprising: a decryption subsystem configured to generate an unencrypted data payload from an encrypted data payload based on the encryption key; wherein the communication interface is further to receive a plurality of encrypted data packets; wherein the SDN controller communication subsystem is further to receive from the SDN controller a second criterion used to identify a subset of the plurality of encrypted data packets to be decrypted; and further comprising a packet processing subsystem to: identify encrypted data packets to be decrypted based on the second criterion and comprising unencrypted routing information and an encrypted payload; selectively parse each identified data packet to extract the unencrypted routing information and the encrypted data payload; generate an unencrypted data payload using the encryption key; generate a second substitute packet comprising the unencrypted routing information and the unencrypted data payload; and transmit the second substitute packet using the unencrypted routing information via the communication interface.
This communication device, as described in Claim 1, selectively encrypts data flows in a Software Defined Network (SDN). It receives unencrypted data packets from a data producing device in an electric power system. An SDN controller provides a first criterion specifying which packets to encrypt, based on the data consumer's physical location being separate from the device's own location. The device identifies these packets, parses them, encrypts only the data payload, generates an HMAC (partly using source ID), and reassembles and transmits a substitute packet with unencrypted routing information, the encrypted payload, and the appended HMAC. Additionally, the device includes a decryption subsystem. It receives encrypted data packets and a second criterion from the SDN controller for identifying packets to decrypt. For these identified packets, it parses them to extract unencrypted routing information and the encrypted payload, decrypts the payload using the encryption key, and then generates and transmits a second substitute packet containing the original unencrypted routing information and the now unencrypted data payload.
4. The communication device of claim 3, wherein the second criterion comprises a determination that the data consuming device identified by the routing information and the communication device are both located at a common physical location.
This communication device, as described in Claim 3, selectively encrypts data flows in a Software Defined Network (SDN). It receives unencrypted data packets from a data producing device in an electric power system, encrypts specified packets (based on a first criterion where the consumer's location is separate), generates an HMAC, and transmits a substitute packet with unencrypted routing and encrypted payload. It also includes a decryption subsystem. It receives encrypted data packets and a second criterion from the SDN controller for identifying packets to decrypt. For these identified packets, it parses them to extract unencrypted routing information and the encrypted payload, decrypts the payload, and then transmits a second substitute packet with unencrypted routing and the unencrypted data payload. The second criterion specifically defines that decryption occurs when the data consuming device identified by the routing information and the communication device itself are both located at the same physical location.
5. The communication device of claim 3, wherein the decryption subsystem is further configured to receive the HMAC appended to at least one of the encrypted data packets and to verify at least one of a source of the at least one of the encrypted data packets and a message integrity based on the HMAC.
This communication device, as described in Claim 3, selectively encrypts data flows in a Software Defined Network (SDN). It receives unencrypted data packets from a data producing device in an electric power system, encrypts specified packets (based on a first criterion where the consumer's location is separate), generates an HMAC (partly from source ID), and transmits a substitute packet with unencrypted routing and encrypted payload. It also includes a decryption subsystem. It receives encrypted data packets and a second criterion from the SDN controller for identifying packets to decrypt. For these identified packets, it parses them, decrypts the payload, and then transmits a second substitute packet with unencrypted routing and the unencrypted data payload. Furthermore, the decryption subsystem is configured to receive and use the HMAC appended to encrypted data packets to verify either the source of the packet or the integrity of the message.
6. The communication device of claim 1, wherein the SDN controller communication subsystem is further configured to receive the encryption key from the SDN controller.
A communication device selectively encrypts data flows in a Software Defined Network (SDN). It receives unencrypted data packets from a data producing device in an electric power system. An SDN controller provides a criterion specifying which packets to encrypt, based on the data consumer's physical location being separate from the device's own location. The device identifies these packets, parses them to separate unencrypted routing information from the unencrypted data payload, and encrypts only the data payload. A Hash Message Authentication Code (HMAC) is generated, partly using the packet's source identifier, allowing the recipient to verify the source. A new packet is assembled, containing the original unencrypted routing information, the newly encrypted data payload, and the appended HMAC. This substitute packet is then transmitted. Importantly, the SDN controller communication subsystem also receives the encryption key directly from the SDN controller for use in this process.
7. The communication device of claim 6, wherein the encryption key persists through multiple sessions with the SDN controller.
This communication device, as described in Claim 6, selectively encrypts data flows in a Software Defined Network (SDN). It receives unencrypted data packets from a data producing device in an electric power system. An SDN controller provides a criterion specifying which packets to encrypt, based on the data consumer's physical location being separate from the device's own location. The device identifies these packets, parses them, encrypts only the data payload, generates an HMAC (partly from source ID), and transmits a substitute packet with unencrypted routing and encrypted payload. The device receives the encryption key from the SDN controller, and this encryption key is designed to persist and remain valid across multiple communication sessions with the SDN controller.
8. The communication device of claim 1, wherein the encryption subsystem is implemented in one of a field-programmable gate array and an application-specific integrated circuit.
A communication device selectively encrypts data flows in a Software Defined Network (SDN). It receives unencrypted data packets from a data producing device in an electric power system. An SDN controller provides a criterion specifying which packets to encrypt, based on the data consumer's physical location being separate from the device's own location. The device identifies these packets, parses them to separate unencrypted routing information from the unencrypted data payload, and encrypts only the data payload. A Hash Message Authentication Code (HMAC) is generated, partly using the packet's source identifier, allowing the recipient to verify the source. A new packet is assembled, containing the original unencrypted routing information, the newly encrypted data payload, and the appended HMAC. This substitute packet is then transmitted. The encryption subsystem performing these tasks is implemented in dedicated hardware, specifically a field-programmable gate array (FPGA) or an application-specific integrated circuit (ASIC).
9. The communication device of claim 1, wherein the HMAC code is at least partially determined based on the encrypted data payload, enabling a receiving device to verify an integrity of the substitute data packet based at least in part on the HMAC code.
A communication device selectively encrypts data flows in a Software Defined Network (SDN). It receives unencrypted data packets from a data producing device in an electric power system. An SDN controller provides a criterion specifying which packets to encrypt, based on the data consumer's physical location being separate from the device's own location. The device identifies these packets, parses them to separate unencrypted routing information from the unencrypted data payload, and encrypts only the data payload. A Hash Message Authentication Code (HMAC) is generated, enabling a receiver to verify the source. This HMAC is at least partially determined based on the encrypted data payload itself, which allows a receiving device to specifically verify the integrity of the entire substitute data packet. A new packet is assembled, containing the original unencrypted routing information, the newly encrypted data payload, and the appended HMAC. This substitute packet is then transmitted.
10. A method of selectively encrypting a data flow in a software defined network (SDN), the method comprising: receiving a plurality of unencrypted data packets originating from a data producing device; receiving from an SDN controller a first criterion used to identify a subset of the plurality of unencrypted data packets in the data flow to be encrypted; identifying a subset of the unencrypted data packets based on the first criterion, each of the plurality of unencrypted data packets comprising unencrypted routing information and an unencrypted payload; selectively parsing each identified data packet and extracting the unencrypted routing information and the unencrypted data payload; generating a hash message authentication code (HMAC); encrypting the unencrypted data payload to generate an encrypted data payload using an encryption key; assembling a substitute packet comprising the unencrypted routing information and the encrypted data payload; appending the substitute packet with the HMAC; and transmitting the substitute packet to a data consuming device using the unencrypted routing information via a communication interface; wherein the HMAC is at least partially determined based on an identifier of a source of at least one of the plurality of unencrypted data packets, enabling a receiving device to identify the source based at least in part on the authentication code; wherein the first criterion comprises a determination that a first physical location at which the data consuming device identified by the routing information is separated from a second physical location at which the communication device is located.
A method for selectively encrypting data flows in a Software Defined Network (SDN). It starts by receiving unencrypted data packets. From an SDN controller, a criterion identifies which packets to encrypt, specifically if the data consumer's location is separate from the communication device's. The method identifies these packets, parsing them to extract unencrypted routing information and the unencrypted data payload. It then encrypts the payload using an encryption key. A Hash Message Authentication Code (HMAC) is generated, partly from the source identifier, enabling receiver source identification. A substitute packet is assembled with the original unencrypted routing, the encrypted payload, and the appended HMAC. This packet is then transmitted to the data consuming device using the unencrypted routing information.
11. The method of claim 10, wherein the communication device is configured for use in a network that provides end-to-end encryption between the data producing device and a data consuming device that lacks encryption capabilities.
This method, as described in Claim 10, selectively encrypts data flows in a Software Defined Network (SDN). It involves receiving unencrypted data packets, receiving a criterion from an SDN controller (based on the data consumer's location being separate from the communication device's) to identify packets for encryption, parsing these packets to extract unencrypted routing information and payload, encrypting the payload using an encryption key, generating an HMAC (partly from the source identifier for receiver source identification), assembling a substitute packet with the original unencrypted routing, the encrypted payload, and the appended HMAC, and then transmitting this packet. This method is specifically configured for use in a network environment that provides end-to-end encryption between a data producing device and a data consuming device which itself lacks inherent encryption capabilities.
12. The method of claim 10, further comprising: receiving a plurality of encrypted data packets; receiving from the SDN controller a second criterion used to identify a subset of the plurality of encrypted data packets to be decrypted; identifying encrypted data packets to be decrypted based on the second criterion and comprising unencrypted routing information and an encrypted payload; selectively parsing each identified data packet to be decrypted to extract the unencrypted routing information and the encrypted data payload; decrypting the encrypted data payload and generating an unencrypted data payload; generating a second substitute packet comprising the unencrypted routing information and the unencrypted data payload; and transmitting the second substitute packet using the unencrypted routing information via the communication interface.
This method, as described in Claim 10, selectively encrypts data flows in a Software Defined Network (SDN). It involves receiving unencrypted data packets, receiving a first criterion from an SDN controller (based on the data consumer's location being separate from the communication device's) to identify packets for encryption, parsing these packets to extract unencrypted routing information and payload, encrypting the payload using an encryption key, generating an HMAC (partly from the source identifier), assembling a substitute packet with unencrypted routing, the encrypted payload, and the appended HMAC, and then transmitting this packet. Additionally, the method includes decryption capabilities: receiving encrypted data packets, receiving a second criterion from the SDN controller to identify packets for decryption, identifying and parsing these packets to extract unencrypted routing information and the encrypted payload, decrypting the encrypted payload to generate an unencrypted payload, generating a second substitute packet with the unencrypted routing and the now unencrypted payload, and finally transmitting this second substitute packet using the unencrypted routing information.
13. The method of claim 12, wherein the second criterion comprises determining that a receiving device identified by the routing information and the communication device are both located at a common physical location.
This method, as described in Claim 12, selectively encrypts data flows in a Software Defined Network (SDN). It involves receiving unencrypted data packets, receiving a first criterion from an SDN controller (based on the data consumer's location being separate from the communication device's) to identify packets for encryption, parsing and encrypting payloads, generating an HMAC, assembling and transmitting a substitute packet. It also includes decryption: receiving encrypted data packets, receiving a second criterion from the SDN controller to identify packets for decryption, identifying and parsing these packets to extract unencrypted routing and the encrypted payload, decrypting the payload, and then transmitting a second substitute packet with the unencrypted routing and the unencrypted payload. The second criterion specifically defines that decryption occurs when the receiving device identified by the routing information and the communication device itself are both located at the same physical location.
14. The method of claim 10, further comprising generating an error detection code based on the encrypted data payload and wherein the substitute packet comprises the error detection code.
This method, as described in Claim 10, selectively encrypts data flows in a Software Defined Network (SDN). It involves receiving unencrypted data packets, receiving a criterion from an SDN controller (based on the data consumer's location being separate from the communication device's) to identify packets for encryption, parsing these packets to extract unencrypted routing information and payload, encrypting the payload using an encryption key, generating an HMAC (partly from the source identifier), assembling a substitute packet with the original unencrypted routing, the encrypted payload, and the appended HMAC, and then transmitting this packet. Furthermore, the method includes generating an error detection code based on the encrypted data payload, and this error detection code is also included within the substitute packet.
15. The method of claim 14, further comprising generating a trailer for the encrypted packet and wherein the trailer comprises the error detection code.
This method, as described in Claim 14, selectively encrypts data flows in a Software Defined Network (SDN). It involves receiving unencrypted data packets, receiving a criterion from an SDN controller (based on the data consumer's location being separate from the communication device's) to identify packets for encryption, parsing and encrypting payloads, generating an HMAC (partly from source ID), assembling a substitute packet with unencrypted routing, the encrypted payload, the appended HMAC, and an error detection code based on the encrypted payload, and then transmitting this packet. Specifically, the method further comprises generating a trailer for the encrypted packet, and this trailer is where the error detection code is included.
16. The method of claim 10, further comprising receiving the encryption key from the SDN controller.
This method, as described in Claim 10, selectively encrypts data flows in a Software Defined Network (SDN). It involves receiving unencrypted data packets, receiving a criterion from an SDN controller (based on the data consumer's location being separate from the communication device's) to identify packets for encryption, parsing these packets to extract unencrypted routing information and payload, encrypting the payload using an encryption key, generating an HMAC (partly from the source identifier), assembling a substitute packet with the original unencrypted routing, the encrypted payload, and the appended HMAC, and then transmitting this packet. An additional step in this method is receiving the encryption key directly from the SDN controller.
17. The method of claim 16, wherein the encryption key persists through multiple sessions with the SDN controller.
This method, as described in Claim 16, selectively encrypts data flows in a Software Defined Network (SDN). It involves receiving unencrypted data packets, receiving a criterion from an SDN controller (based on the data consumer's location being separate from the communication device's) to identify packets for encryption, parsing and encrypting payloads, generating an HMAC (partly from source ID), assembling and transmitting a substitute packet, and receiving the encryption key from the SDN controller. The encryption key received from the SDN controller is configured to persist and remain valid across multiple communication sessions with the SDN controller.
18. A layer 2 switch configured to selectively encrypt a data flow in a software defined network (SDN), the switch comprising: a data bus; a communication interface in communication with the data bus, the communication interface configured to receive a plurality of unencrypted data packets originating from a data producing device; an SDN controller communication subsystem in communication with the data bus and configured to: receive from an SDN controller a criterion used to identify a subset of the plurality of unencrypted data packets in the data flow to be encrypted; a hardware-based encryption subsystem configured to generate an encrypted data payload from an unencrypted data payload based on an encryption key; a packet processing subsystem configured to: identify unencrypted data packets to be encrypted based on the criterion and comprising unencrypted routing information and an unencrypted payload; selectively parse each identified data packet to extract the unencrypted routing information and the unencrypted data payload; generate an encrypted data payload using the encryption key; generate a hash message authentication code (HMAC); assemble a substitute packet comprising the unencrypted routing information and the encrypted data payload appended with the HMAC; and transmit the substitute packet to a data consuming device in an electrical power system using the unencrypted routing information via the communication interface; wherein the HMAC is at least partially determined based on an identifier of a source of at least one of the plurality of unencrypted data packets, enabling a receiving device to identify the source based at least in part on the HMAC; wherein the criterion comprises a determination that a first physical location at which the data consuming device identified by the routing information is separated from a second physical location at which the communication device is located.
A Layer 2 switch is configured to selectively encrypt data flows in a Software Defined Network (SDN). It receives unencrypted data packets from a data producing device. An SDN controller provides a criterion to identify packets requiring encryption, specifically when the data consuming device's physical location is separate from the switch's own location. A packet processing subsystem identifies these packets, parses them to extract unencrypted routing information and the unencrypted data payload. A hardware-based encryption subsystem then encrypts the data payload using an encryption key. A Hash Message Authentication Code (HMAC) is generated, partly from the source identifier of the packets, allowing a receiving device to identify the source. The packet processing subsystem then assembles a substitute packet, comprising the original unencrypted routing information, the encrypted data payload, and the appended HMAC. Finally, this substitute packet is transmitted to a data consuming device in an electrical power system, utilizing the unencrypted routing information.
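The pipeline the claims describe, worked end to end as an added Go example (not code from the patent or any product): claim 1's location criterion and payload-only encryption with an HMAC bound to the source identifier, claims 3 to 5's decryption at the receiving site with HMAC verification, claim 9's integrity check over the encrypted payload, and claims 14 and 15's error detection code carried in a trailer. The frame layout, AES-CTR with HMAC-SHA256, the CRC32 trailer and the identifier-to-location table are assumptions made for the example; the patent does not specify them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"hash/crc32"
)

// Packet is a constructed, minimal frame: cleartext routing identifiers plus a payload.
type Packet struct {
	Src, Dst string // routing information, never encrypted
	Payload  []byte
}

// Device models the encrypting switch; its key and the identifier-to-location table
// are assumed to be provisioned by the SDN controller (claims 1, 6 and 16).
type Device struct {
	Location  string
	Locations map[string]string // device identifier -> physical location
	Key       []byte            // AES key (16, 24 or 32 bytes); the HMAC key is derived from it
}

// sameSite: claim 1 encrypts when the destination is elsewhere, claim 4 decrypts when it is here.
func (d *Device) sameSite(p Packet) bool {
	loc, known := d.Locations[p.Dst]
	return known && loc == d.Location
}

// tag: HMAC-SHA256 over source identifier, routing information and encrypted payload (claims 1, 9).
func (d *Device) tag(p Packet, enc []byte) []byte {
	k := sha256.Sum256(append([]byte("hmac-key:"), d.Key...)) // keep AES and HMAC keys distinct
	m := hmac.New(sha256.New, k[:])
	m.Write([]byte(p.Src + "\x00" + p.Dst + "\x00")) // assumes identifiers contain no NUL byte
	m.Write(enc)
	return m.Sum(nil)
}

// Encrypt builds the substitute packet: routing unchanged, IV||AES-CTR ciphertext, HMAC, CRC32 trailer.
func (d *Device) Encrypt(p Packet) (Packet, error) {
	if d.sameSite(p) {
		return p, nil // local flow: forwarded untouched
	}
	block, err := aes.NewCipher(d.Key)
	if err != nil {
		return Packet{}, err
	}
	enc := make([]byte, aes.BlockSize+len(p.Payload))
	if _, err := rand.Read(enc[:aes.BlockSize]); err != nil { // fresh IV per packet
		return Packet{}, err
	}
	cipher.NewCTR(block, enc[:aes.BlockSize]).XORKeyStream(enc[aes.BlockSize:], p.Payload)
	out := append(enc, d.tag(p, enc)...)
	out = binary.BigEndian.AppendUint32(out, crc32.ChecksumIEEE(enc))
	return Packet{Src: p.Src, Dst: p.Dst, Payload: out}, nil
}

// Decrypt verifies the CRC trailer, then the HMAC in constant time, then releases plaintext (claim 3).
func (d *Device) Decrypt(p Packet) (Packet, error) {
	if !d.sameSite(p) {
		return p, nil
	}
	n := len(p.Payload) - sha256.Size - 4
	if n < aes.BlockSize {
		return Packet{}, errors.New("substitute packet too short")
	}
	enc, mac, tr := p.Payload[:n], p.Payload[n:n+sha256.Size], p.Payload[n+sha256.Size:]
	if crc32.ChecksumIEEE(enc) != binary.BigEndian.Uint32(tr) {
		return Packet{}, errors.New("error detection code mismatch")
	}
	if !hmac.Equal(mac, d.tag(p, enc)) {
		return Packet{}, errors.New("HMAC check failed: unknown source or tampered payload")
	}
	block, err := aes.NewCipher(d.Key)
	if err != nil {
		return Packet{}, err
	}
	plain := make([]byte, n-aes.BlockSize)
	cipher.NewCTR(block, enc[:aes.BlockSize]).XORKeyStream(plain, enc[aes.BlockSize:])
	return Packet{Src: p.Src, Dst: p.Dst, Payload: plain}, nil
}
```

Because the routing identifiers are covered by the HMAC but not encrypted, a receiver that is handed a substitute packet under a different source identifier rejects it, which is the source-verification property of claims 1 and 5.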
July 21, 2020